... follow our guide to implement WordPress SSL / HTTPS TODAY

You may wonder why we would need to implement WordPress SSL/TLS, or enable WordPress on HTTPS. Let's go on a bit of a tangent for a moment.

With 3,376 million users using the internet (and growing every day) and 1,025 million websites on the internet we can certainly say that the internet has emerged as our second dwelling place. Facebook has grown to at least 1 Billion monthly active users. We used to speak about "virtual" but the Internet has become as real as real can get, part of our everyday life.

Well, this is even more exciting, as out of these more than one billion websites a whopping 74,652,825 are based on WordPress.com or WordPress.org. Which is roughly equivalent to one site for each person in Turkey.

WordPress has certainly grown and when we have so many people who are depending on our website, it becomes our duty to provide a highly secure platform which does not compromise their security.

With great power comes responsibility!

In today's post, part of our series of informational WordPress tutorials, we'll guide you below on various ways in which you can implement WordPress SSL/TLS or WordPress HTTPS on your website.

Side note: some of the reading and work involved in this article is highly technical and requires developer knowledge. If you'd like to hire a WordPress developer these are the things that you should consider.

1. First things first. Is it SSL or TLS? Or HTTPS?

Really and truly, today it should be TLS (which is an acronym for Transport Layer Security). TLS is the current version of the protocol that secures the connection, and it is the one that should be used. Originally, however, the protocol was called SSL (Secure Sockets Layer). Whilst, in reality, TLS is what is used in most cases today, most people still refer to secure certificates as SSL certificates. Strictly speaking, we should be calling them TLS certificates. HTTPS means HTTP delivered over a (S)ecure connection, which is implemented via TLS and these certificates.

2. Role of secure certificates and how it fits with WordPress Security

SSL is the acronym that stands for Secure Sockets Layer, and it is the technology used to secure the connection. It works by creating an encrypted link between the client's machine and the server: in short, between the web server and the browser on which the website will be rendered, or, in the case of mail clients such as MS Outlook, between the client and the email server.

The technology gives users the green light to let their confidential data, such as bank credentials, login credentials and social security numbers, be processed by the website. In reality, the problem is not at the website itself, but in the communication between the website and the client.

Before this technology was widespread, data was sent as plain text, which made it vulnerable to anyone who could intercept the traffic, read the data and, of course, use it for malicious reasons.

The protocol defines which cryptographic algorithms are used and negotiates the parameters (such as the keys) that protect the transmitted data and the link itself.

The following video explains really well what SSL is and why you really need it on your website.

3. Why should you serve your website securely?

Owners who do not bother to encrypt the traffic between the browser and the web server need to know that they are allowing their visitors' confidential data to be read very easily by hackers. Essentially all of the data passing between the client and the web server can be read. If you are logging into a website, your credentials can be read. If you are passing credit card details, these can be stolen.

If you are sending ANY confidential data, this can be read if you don't implement website security via secure certificates.

If you do not implement full encryption, your site will be susceptible to what is known as a Man-in-the-Middle attack (read more about this on Wikipedia). Tools such as Wireshark make it very easy to read unencrypted traffic, and hackers set up full infrastructures to read unencrypted data.

They look for specific patterns, such as credit card numbers, social security details, password and other data which is valuable to them.

On the other hand, if you are implementing secured HTTP on WordPress, you get to leverage an encryption system that provides you several security benefits such as integrity, identity and above all confidentiality.

It allows only the server and the browser to decrypt the text sent across the communication channel, and it verifies that the data is intact and has not been modified in transit, so as to ensure the integrity of the website.

4. HTTPS and SEO

Google has announced that it will give a boost to those websites that make use of this secure technology in a blog titled, "HTTPS as a ranking signal." With this announcement, websites served over secure certificates have become a technological certainty for all the websites.

This, of course, makes the priority of implementing it on your website, that much higher. Otherwise, you're lagging behind.

Google wants security to be given utmost attention and priority. In the wake of this, the company has taken the onus to make sure that full security is being used throughout the industry. This ensures that those internet users using Google and its other services will get to have a secure communication with Google and other services.

They have also come up with the concept of "HTTPS everywhere" to foster internet security.

However, this was not enough for them. Since they have so much clout, and whatever Google says usually goes, they also added SSL as a ranking signal for SEO and search engine rankings. Essentially, if you implement this level of security on your site, you will have an advantage over those websites who do not implement it (with all other ranking signals being equal).

Will the actual migration from HTTP to HTTPS hurt my rankings? Do I lose all my backlinks?

That's a very valid concern.

You've worked a lot to acquire precious backlinks, and you wouldn't want to lose all the effort you've put into acquiring them.

However, as you will see further on, we will be performing a 301 redirect. Google understands that a 301 redirect means, "Hello Google - this is still me, but I've moved to a different address". What that means is that, in essence, you will not lose any of your traffic, backlinks or link juice. You may want to read a little bit more about 301 redirection on Moz, and you'll find they make our exact recommendations.

The one thing which our site lost when performing redirection to the secure URL of our site was the Social Share Counts.

This is because Facebook and most other share counters treat https://www.collectiveray.com and http://www.collectiveray.com as two completely different URLs. This is something which you will probably have to live with. In reality, the sooner you do this the quicker you are to start acquiring new share counts on your secured address.

We've done this on multiple sites besides CollectiveRay, and there was never any negative effect on rankings or traffic. As long as you do a correct setup, you should not be concerned about this.

UPDATE: Recently Google has confirmed that 301 redirects from HTTP to HTTPS lose absolutely no link juice. This is because, of course, it doesn't make sense to get a penalty for switching to something which Google is advocating.

5. What else do I need to do after I enable SSL?

If you want to make sure that you send a strong message to Google that your site has actually moved, the ideal way is to do this via the Google Search Console.

Simply add your site as if it was a new site on the Google Search Console.

Of course, this might mean that you lose some things such as Structured Data and you will need to resubmit your sitemaps. Nonetheless, we do believe this is a very strong indicator to Google that this is a valid and fully endorsed migration.

As you are probably already aware, some websites show a green bar in the browser. This signifies that the website has implemented secure communication.

You can see a very clear example of this on the Paypal website.

How can you check whether your website is protected or not?

To check whether a website is SSL protected or not you can check whether the prefix https:// appears in front of the URL instead of the regular http://.

Apart from this, you can also see a padlock in the address field, before the website address.

The image shown above indicates that a website has an authorized SSL certificate; however, the appearance of the padlock varies from browser to browser. Those websites that have purchased an Extended Validation Certificate will display a completely green address bar, or the name of the company will appear before the URL.

Extended Validation Certificates are more expensive to purchase and implement because they require a number of additional physical checks to confirm that the web server actually belongs to the company which is implementing it.

Those who are using Safari will see that a green font is used to denote that the company is using an EV certificate.

The following example is an EV certificate used for the Safari browser. Here the address bar does not have a green background like other browsers. Instead, they have chosen to use a green font.

Extended Validation Certificate certainly offers extended security which is apparent from its name.

This is issued to a company who has cleared all the steps in the validation process. When it comes to the legal formalities they are asked to provide their physical address in order to complete the legal authorization. There are also a few other validations which the company needs to undergo, but this is somewhat beyond the scope of this article.

By implementing WordPress HTTP(S), a 3rd party company is essentially confirming and verifying that the web server is who it is claiming to be. This agency is called the issuer of the certificate - also called a trusted Certificate Authority.

What happens when secure certificates stop working or are not correctly implemented

Using the above indicators one can know whether their secure certificates are working or not.

Likewise, users also get to know when a website's traffic is not encrypted or when the certificate has expired. When the padlock appears red with a red line striking through it, this indicates that the website is using a self-signed certificate (which is not trusted, because it is issued by an untrusted entity) or that the certificate has become invalid, i.e. it has expired.

In this image, you can see the warning shown before visiting a website whose secure certificate has expired. Almost all modern browsers warn you about an invalid certificate before you proceed to the unprotected website.

After the certificate expires, all you need to do is renew it from the authorized place where you originally obtained it. Moreover, it is suggested that you do not let it expire at all, as this creates a bad impression of your website on visitors.

A website is said to use a self-signed certificate if you issued a secure certificate yourself, without going to a Certificate Authority to validate it. Such a certificate is NOT TRUSTED.

Browsers generally trust only SSL certificates that are handed out by trusted Certificate Authorities. In all other cases, they display a warning for websites that are running on a self-signed certificate.

HTTP to HTTPS Migration Checklist

Now that we fully understand why WordPress HTTPS will benefit our site, we will explain in detail below how to implement it on your website. We've also found an HTTP to HTTPS migration checklist which we are listing below to ensure you've covered all the steps related to migrating to HTTPS.

Before launching WordPress securely

1.1. SSL Certification Setting
Get, configure and test the TLS certificate using SHA-2 for SSL
Tool: Server

1.2. Google Search Console Registration
Register both domains, http & https, in Google Search Console, along with your www and non-www versions. If you had also registered individual sub-domains or sub-directories in the Google Search Console, replicate that registration & configuration with their https version.
Tool: Google Search Console

1.3. Rankings Monitoring
Start monitoring the site rankings in parallel with the https domain
Tool: Rank tracking software

1.4. Current top site pages & queries identification
Identify the top pages (and related queries) attracting organic search visibility & traffic, to be prioritized when validating & monitoring the site performance
Tool: Google Search Console & Google Analytics

1.5. Current site crawling
Crawl the http site to identify and fix any internal broken links & the current Web structure before moving.
Tool: Stage Environment

1.6. New HTTPS Web setting w/ updated internal links
Set up the new Web version on a stage environment to make the changes, and test & update the links to point to the HTTPS URLs (pages & resources such as images, js, pdfs, etc. too)
Tool: Stage Environment

1.7. New HTTPS Web canonicalization
Update the canonical tags to include absolute URLs using https on the stage environment
Tool: Stage Environment

1.8. New HTTPS Web canonicalization
Verify in the stage environment that all of the already existing rewrite & redirect behaviour (non-www vs. www, slash vs. non-slash, etc.) is also implemented in the secure Web version, as it used to work on the http one
Tool: Stage Environment

1.9. Redirects preparation
Prepare & test the Rewrite Rules that will 301 redirect from all of the identified existing URLs (pages, images, js, etc.) on the http domain to the https one
Tool: Server

1.10. New XML Sitemap Generation
Generate a new XML Sitemap with the HTTPS URLs, to be uploaded in the HTTPS Google Search Console profile once the site is moved
Tool: XML Sitemap Generator

1.11. Robots.txt preparation
Prepare the robots.txt to be uploaded on the https domain version when the site is launched, replicating the existing directives for http but pointing to the https URLs where necessary
Tool: Robots.txt

1.12.
Prepare changes on any ads, emailing or affiliate campaigns to start pointing to the https URL versions when the migration is done
Tool: Campaigns Platforms

1.13. Disavow Configuration
Verify if there were any disavow requests submitted in the past that will need to be resubmitted for the secure URL versions in their own Google Search Console profile
Tool: Google Search Console

1.14. Geolocation Configuration
If you're migrating a gTLD that you are geotargeting through the Google Search Console (as well as its sub-domains or subdirectories, in case you're individually geotargeting them), make sure to geotarget them again with the secure domain version
Tool: Google Search Console

1.15. URLs Parameters Configuration
If URL parameters are handled through the Google Search Console, the existing configuration should be replicated in the secure site profile
Tool: Google Search Console

1.16. CDN Configuration Preparation
If a CDN is used, verify that it will be able to properly serve the secure domain version of the site and handle SSL when the migration is done
Tool: CDN Provider

1.17. Ads & 3rd-Party Extension Preparation
Verify that any served ads code, 3rd-party extensions or social plugins used on the site will work properly when it is moved to https
Tool: Ads & Extensions Platforms

1.18. Web Analytics Configuration Preparation
Make sure that the existing Web Analytics configuration will also monitor the traffic of the secure domain
Tool: Web Analytics Platform

During actual migration to a secure website

2.1. HTTPS site launch
Publish the validated https site version live
Tool: Production Environment

2.2. New HTTPS version Web structure validation
Verify that the URL structure on the secure site version is the same as the one on HTTP
Tool: Production Environment

2.3. New secure version internal linking
Verify that the site links are effectively pointing to their HTTPS URLs
Tool: Production Environment

2.4. New HTTPS version canonicalization
Verify that the canonical tags on the pages are pointing to their HTTPS URLs
Tool: Production Environment

2.5. New HTTPS version canonicalization
Implement the rewrites and redirects (www vs. non-www, slash vs. without slash, etc.) in the new secure Web version
Tool: Production Environment

2.6. HTTP to HTTPS redirect implementation
Implement the 301 redirects from every URL of the site from its HTTP to its HTTPS version
Tool: Production Environment

2.7. Web Analytics Configuration
Annotate the migration date in your Web Analytics platform & verify that the configuration is set to track the secure Web version

Update official external links pointing to the site to go to the secure version (Social Media profiles, partner sites, etc.)
Tool: Official Presence in External Platforms

3.5. Ads & 3rd-Party Extension Validation
Verify that any plugins like social buttons, ads & 3rd-party code are working correctly on the secure URL versions. You can scan your website to look for non-secure content with https://www.jitbit.com/sslcheck/
Tool: Ads & Extensions Platforms, SSL Check

3.6. Campaigns update Execution
Implement the relevant ads, emailing and affiliate campaign changes to correctly refer to the HTTPS Web version
Tool: Campaigns Platforms

3.7. Crawling & Indexation Monitoring
Monitor the indexation, visibility & errors of both the HTTP & HTTPS site versions
Tool: Google Search Console

3.8. Rankings & Traffic Monitoring
Monitor the traffic and rankings activity of both the HTTP & HTTPS site versions
Tool: Web Analytics & Rank tracking Platforms

3.9. Robots.txt configuration validation
Verify the robots.txt setting on the secure domain to make sure the configuration was properly updated
Tool: Robots.txt

This HTTP to HTTPS migration checklist was kindly created and shared with the Advanced WP Facebook group.

7. How can you add security to your WP Website?

Let's get down to the nitty-gritty and get our hands dirty. There are two ways to set up WordPress SSL:

Setting UP SSL Manually In WP website

Using The WordPress HTTPS Plugin

How to Acquire a Secure Certificate

First of all, you'll need to somehow acquire an SSL Certificate. There are of course various ways of doing this, but the easiest way to do this is via your hosting server. At InMotion hosting, you can buy the certificate and all that you need with it directly through the Account Management Panel (AMP) console. The good thing is that they'll support you very nicely if you don't want to get your hands dirty.

Included in the price of $99/year is the required dedicated IP. There is also a one-time fee of $25, since the certificate needs to be installed on the server which powers your website.

If you've got a Virtual Private Server, installing the certificate manually is very easy. We've documented the steps in our InMotion VPS review, so we won't be going through that again.

If you're not hosted with InMotion, (why not? Don't you know their servers are faster and their support better?) the procedure will be similar. Once the certificate has been bought and installed, you now need to enable WordPress SSL/TLS.

Back up in this article, we mentioned that secure certificates are issued by what is called a certificate authority. This is, a body which can "certify" that the server where you have installed your certificate is truly who it is claiming to be. This involves some work of course, and typically you'd be charged for this work.

Let's Encrypt is a new certificate authority which wants to make it easier for everybody to acquire a secure certificate, by making the process of acquiring a certificate free.

Step 1: Install Let's Encrypt library on your server

This command will essentially copy the LetsEncrypt repository to your /opt directory.

Step 2: Generate secure certificate

The best way to generate a certificate is to use the standalone method with a keysize of 4096 (which is very freaking strong).

$ ./letsencrypt-auto certonly --standalone --rsa-key-size 4096

As soon as you run this command, a window will come up asking you for the domain name. It is suggested that you enter both your root domain and any other subdomains you plan to use the certificate with.

The next step is to read and agree to the terms of services of Let's Encrypt. Once you agree you'll be able to see the path of the .pem file. It will be located in /etc/letsencrypt/live/your-domain-name/. If you encounter any errors while creating the certificate you might want to check your firewall configuration because a number of connections will be required to create the certificates.

The certificate generated expires in 90 days and will have to be renewed every 90 days. This is both a negative and a positive point. You can find the reasons why 90-day certificates are used here. To renew the certificate you just need to run the Let's Encrypt renew script.

You might want to write a cron job for automating the process.

This is especially important if you tend to forget this. Once your certificate expires, you'll see the fugly red warning shown above, so you might want to keep this in mind.

Step 3: Generate a strong Diffie-Hellman group for the key exchange

To further increase security, you should also generate a strong Diffie-Hellman group. To generate a 4096-bit group, use this command:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

This may take a few minutes, but when it's done you will have a strong DH group at /etc/ssl/certs/dhparam.pem

Now that you have a certificate, you'll need to install it on your web server.

8. How to Setup your WordPress to Use SSL (or TLS) and HTTPS (the manual way)

Once you have a secure certificate, the next step is to install it on your website. The very first thing that needs to be done is to update the URL of your website so that it uses HTTPS. To do this, go to Settings → General and update the WordPress Address and Site Address fields.

If you have an existing website and are enabling SSL, you also need to set up a 301 redirect which forces all HTTP requests to be served securely. This will also make sure that none of your existing links from external websites are lost, and that you do not lose any link juice.

This can be done by adding the code snippet below to your website's .htaccess file, which you can access via your cPanel File Manager.

You can see that this is a 301 redirect, which will make sure you don't lose any link juice. Make sure that you have replaced collectiveray.com with the URL of your website.

The above actually forces your server to serve content securely. Just as a point of note, any and all URLs under the main domain will get converted to HTTPS using the above. So any of your old links on, let's say, http://www.collectiveray.com/wordpress/ would automatically become https://www.collectiveray.com/wp/
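Whatever the rewrite rule looks like on your server, what matters once it is live is that every old http:// URL answers with a 301 whose Location is the same path and query on the https:// canonical host, rather than a 302, a redirect that drops the path and lands everything on the home page, or no redirect at all. The following Python script is an added example written for this article (it is not code from CollectiveRay, WordPress or any web server project) that checks exactly that, first against constructed sample responses and, when given a URL on the command line, against a live server. The canonical host www.collectiveray.com is an assumed value; replace it with your own domain, just as the article says to replace collectiveray.com in the rewrite rule.

```python
"""Verify that http:// URLs are permanently redirected to their https:// equivalent."""
import http.client
from urllib.parse import urlsplit, urlunsplit

# Canonical secure host of the migrated site (assumed value for this example;
# replace with your own domain).
CANONICAL_HOST = "www.collectiveray.com"


def https_target(url, canonical_host=CANONICAL_HOST):
    """Return the URL an http:// request is expected to be 301-redirected to.

    This is the behaviour the rewrite rule should produce: the scheme becomes
    https, the host becomes the canonical (www) host, and the path and query
    string are preserved, so http://collectiveray.com/wordpress/?p=1 maps to
    https://www.collectiveray.com/wordpress/?p=1.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("not a web URL: %r" % url)
    return urlunsplit(("https", canonical_host, parts.path or "/", parts.query, ""))


def check_redirect(requested_url, status, headers, canonical_host=CANONICAL_HOST):
    """Check one response (status code and headers) to an http:// request.

    Returns a list of problems; an empty list means the redirect is correct.
    Header names are matched case-insensitively, as HTTP requires.
    """
    problems = []
    expected = https_target(requested_url, canonical_host)
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status != 301:
        # 302/307 are temporary redirects: browsers follow them, but they do not
        # signal a permanent move, which is the whole point of the migration.
        problems.append("expected a 301 permanent redirect, got %d" % status)
    if location is None:
        problems.append("no Location header, so the request was not redirected")
    elif location != expected:
        # Catches redirects that drop the path (everything lands on the home page),
        # point at the non-canonical host, or still use http://.
        problems.append("Location is %r, expected %r" % (location, expected))
    return problems


def audit(responses, canonical_host=CANONICAL_HOST):
    """Run check_redirect over (url, status, headers) tuples; return only the failures."""
    report = {}
    for url, status, headers in responses:
        problems = check_redirect(url, status, headers, canonical_host)
        if problems:
            report[url] = problems
    return report


def fetch_head(url, timeout=10):
    """Issue a HEAD request without following redirects; returns (status, headers)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    path = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    conn.request("HEAD", path)
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())


# Constructed sample responses (not real captures) covering the cases the checker
# distinguishes: a correct redirect, a temporary one, one that loses the path,
# and an old URL that is still served over plain HTTP.
SAMPLE_RESPONSES = [
    ("http://collectiveray.com/wordpress/?p=1", 301,
     {"Location": "https://www.collectiveray.com/wordpress/?p=1"}),
    ("http://www.collectiveray.com/wp/", 302,
     {"Location": "https://www.collectiveray.com/wp/"}),
    ("http://www.collectiveray.com/img/logo.png", 301,
     {"Location": "https://www.collectiveray.com/"}),
    ("http://www.collectiveray.com/about/", 200,
     {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live mode: python redirect_check.py http://example.com/some/page
        status, headers = fetch_head(sys.argv[1])
        print(sys.argv[1], check_redirect(sys.argv[1], status, headers) or "OK")
    else:
        for url, problems in audit(SAMPLE_RESPONSES).items():
            print(url)
            for p in problems:
                print("  -", p)
```

Run it with no arguments to see the three failing sample cases, or feed it the http:// versions of the top pages identified in checklist item 1.4; a clean run over those is the practical confirmation of checklist items 1.9 and 2.6.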

For those who are on nginx servers, you should add the HTTP redirect below to convert it into HTTPS:

The following steps will help you ensure that all the content of the site will be served securely.

Configure a Secure Admin

You can force a secure WordPress admin (i.e. the administration part of your website, /wp-admin) via your wp-config.php file. If you wish to force HTTPS on the login pages and in the admin area of a WordPress website, including multi-site installations, all you need to do is add the following code snippet to the wp-config.php file.

define('FORCE_SSL_ADMIN', true);

That's mostly it, you should now be able to access your WordPress admin securely!

9. Implement HTTPS using WordPress SSL plugins

Another easy way to set up SSL on your website is to make use of a WordPress SSL plugin.

Using the Really Simple SSL plugin

The plugin of choice for enabling WordPress HTTPS on your site should be Really Simple SSL. It's a very nicely written plugin by Rogier Lankhorst. The great thing about this plugin is that it removes all of the complexity associated with enabling secure certificates on your site.

Really and truly, this is a one-click SSL activation plugin.

After you've acquired the SSL certificate using one of the methods described above, you just need to install and Activate the Really Simple SSL plugin and it will do the rest of the dirty work for you.

It actually does quite a lot of work under the hood to resolve most known issues with activating HTTPS on your website. It takes into consideration the setup of the server and performs all the changes as necessary so that you don't have to mess with anything yourself.

The below is a screenshot of the plugin after activation - it has done some work and detected that there is already a certificate installed on the server.

As you can see, you can now just click on the "Activate SSL" and you're done!

Once your website has been converted to SSL, you can have a look at the settings, as can be seen in the screenshot below.

This plugin is your one-stop shop to enable SSL.

Implement SSL using the WordPress HTTPS plugin

(This plugin seems to no longer be maintained. It hasn't been updated in over two years, so you may want to take a look at Really Simple SSL above)

First, it allows a site owner to add global SSL settings to their website, including in a multisite installation. For those who do not want to enable SSL on all their content, you can choose to set HTTPS on specific posts or pages only.

Once you've installed this, you'll find a new HTTPS item in the menu.

As a minimum, we'd suggest that you enable "Always use HTTPS while in the admin panel" so that all of your admin traffic passes through SSL.

If you click on the "Force SSL exclusively", you'll have to choose whether you want to enable security on each page specifically via the following option you'll see on your pages.

Some of the other settings of the plugin can be seen below. Most of the rest of the settings are quite advanced and you might not want to touch them unless you know what you are doing.

Other plugins to enable SSL

Of course, the above is not the only plugin which you can use to enable secure certificates. The following are a number of other options which you may want to use. Both of them ultimately achieve the same goal, of enabling HTTPS on your WordPress site.

10. Testing the correct secure certificate setup of your website

To make sure your site has been fully set up, we recommend that you test your site using this SSL SEO Checker tool, which checks whether you have the recommended WordPress SSL setup.

Also, if you are using Chrome, you can have a look at the icon right next to the URL. The following is an explanation of what each icon means.
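The external checker mentioned here, the "non-secure content" scan in checklist item 3.5 and the Chrome icon all come down to the same question: does any page still reference something over plain http:// once the site is on HTTPS? Such "mixed content" is what makes the browser drop the padlock. As an added example, not code from the article or from any of the plugins it mentions, the following Python scanner parses a page's HTML and reports sub-resources still loaded over http://, a canonical tag still pointing at the http:// URL (checklist items 1.7 and 2.4) and internal links that still use http:// (item 2.3). The sample page and the hostnames in it are constructed for the example.

```python
"""Scan a page's HTML for references that will break or weaken an HTTPS site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource. An http://
# value in any of these on an https page is "mixed content": browsers block it
# or drop the padlock.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}


class HttpsMigrationScanner(HTMLParser):
    """Collect (kind, tag, url) findings while parsing one HTML document.

    kind is one of:
      "mixed-content" - a sub-resource still loaded over http://
      "canonical"     - a <link rel="canonical"> still pointing at the http:// URL
      "internal-link" - an <a href> to this site's own http:// URL (works via the
                        301, but costs every visitor a redirect and should be updated)
    """

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).hostname
        self.findings = []

    def _absolute(self, value):
        # Resolves relative paths and protocol-relative //host/... references
        # against the page URL, so only explicit http:// values stay http.
        return urljoin(self.page_url, value.strip())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            href = attrs.get("href")
            if href:
                full = self._absolute(href)
                parts = urlsplit(full)
                if parts.scheme == "http" and parts.hostname == self.host:
                    self.findings.append(("internal-link", tag, full))
            return
        if tag == "link" and "canonical" in (attrs.get("rel") or "").lower().split():
            href = attrs.get("href")
            if href and urlsplit(self._absolute(href)).scheme == "http":
                self.findings.append(("canonical", tag, self._absolute(href)))
            return
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset is a comma-separated list of "url descriptor" entries
            candidates = ([c.strip().split()[0] for c in value.split(",") if c.strip()]
                          if name == "srcset" else [value])
            for cand in candidates:
                full = self._absolute(cand)
                if urlsplit(full).scheme == "http":
                    self.findings.append(("mixed-content", tag, full))


def scan_html(html, page_url):
    """Return the list of findings for one page served at page_url."""
    scanner = HttpsMigrationScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarise(findings):
    """Count findings per kind, e.g. {"mixed-content": 3, "canonical": 1}."""
    counts = {}
    for kind, _tag, _url in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample page (not a real capture) mixing good and bad references.
SAMPLE_PAGE_URL = "https://www.collectiveray.com/wordpress/"
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://www.collectiveray.com/wordpress/">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="http://ajax.example.test/jquery.js"></script>
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="https://www.collectiveray.com/img/ok.png">
<img src="http://www.collectiveray.com/img/old.png"
     srcset="http://www.collectiveray.com/img/old@2x.png 2x">
<a href="http://www.collectiveray.com/contact/">Contact</a>
<a href="http://other.example.test/">External</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_html(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("%-14s <%s> %s" % (kind, tag, url))
    print(summarise(scan_html(SAMPLE_HTML, SAMPLE_PAGE_URL)))
```

Relative paths and protocol-relative references (//cdn...) are resolved against the https page URL and therefore pass, which is the same reasoning the "Really Simple SSL" approach relies on; only hard-coded http:// references are reported. An external http:// hyperlink is deliberately not flagged, since it is navigation to another site, not content loaded into yours.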

11. Don't forget to renew your Secure Certificate

An expired certificate is a dead certificate.

If a certificate expires, you cannot renew it.

You need to get a new one re-issued and re-install it on your site. That's, of course, more headache than you really need, so just make sure to remember to renew it before it expires.

This happened to us on the anniversary of getting our first secure certificate setup. It's not a pleasant situation to suddenly see ALL your traffic go to zero. People are very wary of advancing beyond an expired certificate so the traffic hit you'll get will be huge.

We suggest setting up a reminder a couple of weeks in advance of the expiry.

You have been warned. Expired certificates are a lot of work, so don't forget to renew it.
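The 90-day Let's Encrypt renewal described in Step 2 above and the warning in this section come down to the same need: something has to watch the expiry date before visitors see the red warning. The following Python script is an added example (it is not code from the article, from Let's Encrypt or from any plugin) meant to be run from cron; it reads the notAfter date either from a certificate file via openssl or from the live server, reports the days remaining and exits non-zero when renewal is due. The 30-day renewal window and the 14-day alert threshold are assumed policy values, the file path layout under /etc/letsencrypt/live/ is the one the article gives, and the date used when no argument is passed is constructed.

```python
"""Check how long a TLS certificate has left and whether it is time to renew."""
import socket
import ssl
import subprocess
import time

# Let's Encrypt certificates (as in the article) live for 90 days. Renewing with
# 30 days left leaves time to fix a failed renewal; the 14-day alert mirrors the
# article's "reminder a couple of weeks in advance". Both are assumed policy values.
RENEW_AT_DAYS = 30
ALERT_AT_DAYS = 14


def days_until_expiry(not_after, now=None):
    """Days of validity left, given a notAfter string such as
    "Jun  9 12:00:00 2024 GMT" (the format openssl and ssl.getpeercert() use).
    A leading "notAfter=" as printed by `openssl x509 -enddate` is tolerated."""
    if not_after.startswith("notAfter="):
        not_after = not_after[len("notAfter="):]
    expires = ssl.cert_time_to_seconds(not_after.strip())
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def renewal_state(not_after, now=None):
    """Classify as "ok", "renew" (window open), "alert" (cutting it close) or "expired"."""
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "expired"
    if days <= ALERT_AT_DAYS:
        return "alert"
    if days <= RENEW_AT_DAYS:
        return "renew"
    return "ok"


def not_after_from_pem(path):
    """Read notAfter from a certificate file, e.g. /etc/letsencrypt/live/<domain>/cert.pem."""
    out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return out.strip()  # "notAfter=Jun  9 12:00:00 2024 GMT"


def not_after_from_server(host, port=443, timeout=10):
    """Fetch the certificate the live site actually serves and return its notAfter.

    The default context verifies the chain, so an already expired or self-signed
    certificate raises ssl.SSLCertVerificationError here instead of being reported
    as a number of days; that failure is itself the signal to act on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    # From cron:  python cert_check.py example.com
    #        or:  python cert_check.py /etc/letsencrypt/live/example.com/cert.pem
    target = sys.argv[1] if len(sys.argv) > 1 else "Jun  9 12:00:00 2024 GMT"  # constructed sample
    if target.startswith("/"):
        not_after = not_after_from_pem(target)
    elif " " not in target:
        not_after = not_after_from_server(target)
    else:
        not_after = target
    state = renewal_state(not_after)
    print("%s: %.1f days left (%s)" % (target, days_until_expiry(not_after), state))
    sys.exit(0 if state == "ok" else 1)
```

Because cron mails any output and a non-zero exit is easy to alert on, a daily entry running this against the live hostname is the reminder the article recommends, and checking the served certificate rather than the file on disk also catches the case where renewal succeeded but the web server was never reloaded.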

Want to take the easy way out?

Of course, although we make it look simple, there are times when things don't go the way you expect them to, so make sure you have your support numbers at hand just in case it all goes wrong whilst setting up your WordPress SSL functionality.

This is a limited time offer until , so get it before the offer expires.

Conclusion: HTTPS is a must

As you might have seen, although the implementation of HTTPS or SSL is not always straight-forward, it is essential. Even as of today (2018), Google has announced that it will be labelling websites as NOT SECURE, if they are not SSL-enabled. So do make sure you get this setup on your website today.

One more thing... Did you know that people who share useful stuff like this post look AWESOME too? ;-) Please leave a useful comment with your thoughts, then share this on your Facebook group(s) who would find this useful and let's reap the benefits together. Thank you for sharing and being nice!


Disclosure: CollectiveRay is funded personally out of pure passion for helping people working with websites. We do however generate some income through recommendations of products. This means if you click on a link and purchase an item we link to, we will receive a small sum out of that sale. We usually partner with vendors to make your purchase cheaper than buying direct.

who are we?

CollectiveRay is run by David Attard - working in and around the web design niche for more than 12 years, we provide actionable tips for people who work with and on websites. We also run DronesBuy.net - a website for drone hobbyists.